It’s no secret that most organizations need to dramatically improve their incident detection and response and vulnerability management (VM) programs. How many major security breaches could organizations avert if they could detect and address them at the start, when they’re still just minor incidents?
Industry statistics show that actual mean-time-to-responses (MTTRs) for security incidents are very slow — measured in days, weeks, or more, not the minutes or hours necessary to dramatically reduce the risk of a significant breach. In fact, IBM’s Cost of a Data Breach report found that it took organizations an average of 207 days to detect, let alone address, cybersecurity incidents in 2020. Not surprisingly, in countless security breach retrospectives, the excessive exposure windows leading up to breaches are often found to be key contributors to the ultimate blast radii of these events.
SOAR to a better response
But what causes this excessive exposure? This depends on the organization and certainly can’t be attributed to any one thing, but practically every organization has too many security alerts and software vulnerabilities and not enough people or time to investigate or appropriately respond to them all.
So, what is the answer? More people? This is typically unrealistic, as candidates are hard to find and expensive once you do find them. Reduce the number of alerts? Sure, but which ones? If they require an investigation to differentiate false positives from true breaches, which alerts should you turn off?
Clearly a key part of the answer is to automate as much of the incident response and VM processes as possible. If you can respond to some of the alerts and vulnerabilities completely (or mostly) automatically, all the better!
This is what security orchestration, automation, and response (SOAR) systems, such as Rapid7’s InsightConnect, were created to do. But a SOAR platform on its own doesn’t solve the automation problem — it is just a platform, after all. Organizations also need the applications that run in and bring the SOAR platform to life. Sometimes called playbooks or workflows, these applications deliver the data, decisioning, integration, and communication necessary to automate incident response, as well as the processes necessary to prioritize and patch vulnerabilities.
But like the problem of rebuilding a plane while simultaneously flying it, how does a slammed IR, SOC, or VM team find the time to create these automation applications while continuing to address the issues that are continuously rolling in?
Strength in numbers: The power of crowdsourcing workflows
Increasingly, we believe the answer lies in crowdsourcing workflows from their SOAR product community.
One of the key values of SOAR platforms is that they’re in effect specialized security communities with which users can share, customize, and run incident response, VM, and other types of workflows. With InsightConnect, users can pull integrations and incident response and VM workflows from the Extension Library and apply them quickly and easily to the specific needs of the organization. But what really makes this library great is the current and future applications — workflows — that you can find and check out.
Building on the hundreds of existing workflows contributed by Rapid7’s security experts, SOC analysts, and incident responders, we’ve recently taken the Extension Library to the next level by opening it up to submissions from customers and partners. Recently, we released our Contribute an Extension online process. This highly curated workflow submission system enables Rapid7 customers and partners to safely share their favorite workflows with the community.
In the spirit of open source software, Rapid7 acts as the curator of these submissions and vets them for privacy, security, and basic utility. We believe this expanded Extension Library experience will help organizations energize their incident response and VM programs and, by applying best practices and automation, reduce the likelihood of experiencing a major security incident.
The variety of potential automation applications are only limited by the community's imagination — they aren’t even limited to pure incident response or VM automations. Any processes that security teams do repetitively and largely manually are excellent candidates for automation. Most security teams could certainly do with some help energizing — and some fresh insights from fellow practitioners might just be the spark they need.